CVE-2026-27205

MEDIUM

CVSS v3

4.3

MEDIUM

EPSS Score

0.0%

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked. The severity and risk d

Technical Details

CVSS v3 Vector
3.1
Published
2/21/2026
Last Modified
2/24/2026

Frequently Asked Questions

What is CVE-2026-27205?

Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked. The severity and risk d

Is CVE-2026-27205 actively exploited?

Active exploitation of CVE-2026-27205 has not been confirmed. The EPSS score is 0.0%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2026-27205?

CVE-2026-27205 has a CVSS v3 base score of 4.3 (MEDIUM severity), with vector string 3.1.

Is CVE-2026-27205 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.